Page 10 - FCW, August 2020
The Next Wave of Cybersecurity
NAVIGATING UNCHARTED CYBER WATERS
Agencies are looking for innovative ways to plot a course through a seemingly limitless ocean of cyberthreats
NEXT-GENERATION technologies such as artificial intelligence, cloud and the internet of things have the potential to revolutionize the government’s ability to fulfill its missions. But the tools that present such promise also create cyber risks.
Modern technologies challenge the perimeter-based security that agencies relied on for years when IT resources were on-premises and comparatively easy to contain. Today, mobility reigns, and cloud technology enables government employees to work from anywhere.
Consequently, agencies must continue to protect on-site IT systems while they also find ways to secure user activity that is happening far outside the data center.
Meanwhile, adversaries have modernized, too, and the growing sophistication of cyberattacks is making it harder for the government to stay ahead of threats. To avoid security blind spots, agencies must address a long list of challenges, including maintaining visibility into a complex mix of cloud and on-premises systems.
Aligning policies with today’s IT environments
In a recent survey of FCW readers, 83% of respondents said their agencies had well-defined strategies for modernizing their approach to cybersecurity. In addition, 29% used AI/machine learning, 51% used automated threat response, and 29% said their agencies had adopted zero trust.
The National Institute of Standards and Technology defines zero trust as “an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets and resources.”
The second draft of NIST’s Special Publication 800-207 further states that the approach “assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local-area networks versus the internet).” Authentication and authorization of users and devices must happen every time a connection to an enterprise resource is established, and the subsequent activity must be continuously monitored.
According to NIST, numerous policies have pushed agencies toward a zero trust mindset for more than a decade, including the Federal Information Security Modernization Act; Risk Management Framework; Federal Identity, Credential and Access Management; Trusted Internet Connections (TIC); and Continuous Diagnostics and Mitigation.
However, NIST notes that those programs typically reflected the technical capabilities of information systems at the time they were developed: “Security policies were largely static and were enforced at large ‘choke points’ that an enterprise could control to get the largest effect for the effort.” Fortunately, advances in technology are making it possible “to continually analyze and evaluate access requests in a dynamic and granular fashion.”
The government is making an effort to bring policies into alignment with today’s IT environments. For example, the updated TIC 3.0 was released this year to allow agencies “to place security capabilities closer to the data using trust zones, policy enforcement points and use cases rather than force the rerouting of data to the inspection sensors,”
SPONSORED CONTENT
Shutterstock/FCW Staff